Australian legislation at the Federal and State and Territory levels provides some protection of privacy of personal information.
Privacy section in the Victorian Specific Module for ethical review
The Victorian Specific Module contains a special section on the Privacy Legislation.
Researchers (and anyone else who is collecting, disclosing or using health information) are required to provide specific information about how an individual's personal and health information is collected, stored, disclosed and used, to the individual concerned. Individuals must also be advised that they have a right of access to health information about them that is contained in records held in Victorian private and public sector organisations.
What is privacy?
The Privacy Act 1988 and the Information Privacy Principles (IPPs) govern the conduct of Commonwealth agencies in the ways those agencies collect, use, store and disclose personal information.
The Privacy Amendment (Private Sector) Act 2000 (the Amendment Act) was passed by Federal Parliament in December 2000. The Amendment Act extends the Privacy Act 1988 a protect personal information held by private sector organisations by requiring them to comply with National Privacy Principles (NPPs).
The NPPs govern the conduct of private sector organisations in the way those organisations collect, use, store and disclose personal information. The NPPs include stricter requirements for the handling of sensitive information, which includes, for example, an individual's health information, political opinions, religious beliefs, philosophical beliefs or criminal record. The IPPs and the NPPs govern the manner in which personal sensitive and health information can be collected, used or disclosed by Commonwealth and Private Sector Organisations.
In Victoria, two State Acts apply to the collection of personal and health information. The Information Privacy Act 2000 covers all personal information except health information in the public sector. This act adopts ten IPPs that are based on the NPPs set out in the Federal Amendment Act 2000.
The Health Records Act 2001, which came into effect on 1 July 2002, covers the handling of all personal information held by Health Service Providers in the Public and Private Sectors. This includes any information about a person's health or disability, information about the donation of body parts, organs or substances and genetic information. The Health Records Act contains a set of eleven principles adapted from the NPPs, the Health Privacy Principles (HPPs).
The Health Records Act creates a scheme to regulate the collection and handling of Health Information in Victoria. It:
- Establishes standards for the handling of health information which are to apply to personal health information collected used and held in the public and private sectors
- Gives individuals an enforceable right of access to their health records that are held by private sector organisations.
- The HPPs govern the collection, use, disclosure, quality, security, retention and transfer of and access to health information.
NHMRC Guidelines Under Section 95 Of The Privacy Act 1988 (Section 95 Guidelines)
Section 95 of the Privacy Act provides a process which acknowledges that in some circumstances the right to privacy must be weighed against justifiable interests that may benefit society as a whole.
The conduct of medical research can be one of these circumstances. Section 95 of the Privacy Act allows the NHMRC, with approval of the Federal Privacy Commissioner, to issue guidelines for the protection of privacy in the conduct of medical research.
It is a condition of approval of the section 95 guidelines that the Federal Privacy Commissioner must be satisfied that the public interest in the promotion of medical research outweighs, to a substantial degree, the public interest in privacy.
The Section 95 Guidelines establish a process by which HRECs may approve medical research proposals that involve the use or disclosure of personal information held by Commonwealth agencies without consent from the individual concerned. To approval a proposal, the HREC must decide that the public interest in the research outweighs, to a substantial degree, the public interest in the protection of privacy.
The NHMRC has also issued the Section 95A Guidelines which establish a process by which HRECs may approve proposals that involve the collection use or disclosure of health information held by private sector organisations without the consent from the individual concerned.
Statutory guidelines on research
The Victorian Health Services Commissioner is empowered by the Health Records Act 2001 to issue approval guidelines for the purposes of the HPPs. In a similar and parallel manner to the NHMRC Section 95 and Section 95(A) guidelines, the Victorian Health Services Commissioner has issued the Statutory Guidelines on Research for the purposes of HPPs 1.1 (e) (iii) and 2.2 (g) (iii). The guidelines relate to the collection use and disclosure of health information for the purposes of research or compilation or analysis of statistics which is in the public interest where:
- The purpose of the research of the compilation or analysis of statistics cannot be served by the collection use or disclosure of information that does not identify the individual in question or from which the individual's identity can not be reasonably ascertained
- Where it is impracticable to seek the individual's consent to the collection, use or disclosure.
Privacy legislation in Australia
If it is proposed to undertake medical research involving the collection, and/or use and/or disclosure of personal, sensitive or health information which is identified and without the consent of the individual whose information it is, this may involve a breach of one or more Privacy Principles.
Such research must be reviewed and approved by a properly constituted HREC. In reviewing such research, HRECs must apply the relevant research guidelines:
- Section 95 Guidelines, or
- Section 95A Guidelines, or
- Statutory Guidelines on Research